Termination Analysis of Loops

Similar documents
The Polyranking Principle

Linear Ranking with Reachability

Verification Constraint Problems with Strengthening

Constraint Solving for Program Verification: Theory and Practice by Example

Termination of Polynomial Programs

Proving Unsatisfiability in Non-linear Arithmetic by Duality

Constraint-Based Static Analysis of Programs

Constraint Solving for Program Verification: Theory and Practice by Example

CS156: The Calculus of Computation

Eventual Linear Ranking Functions

What s Decidable About Arrays?

or simply: IC3 A Simplified Description

The Calculus of Computation: Decision Procedures with Applications to Verification. Part I: FOUNDATIONS. by Aaron Bradley Zohar Manna

Discovering Non-Linear Ranking Functions by Solving Semi-Algebraic Systems

Stability and Stabilization of polynomial dynamical systems. Hadi Ravanbakhsh Sriram Sankaranarayanan University of Colorado, Boulder

CS156: The Calculus of Computation Zohar Manna Autumn 2008

Constructing Invariants for Hybrid Systems

A QUANTIFIER-ELIMINATION BASED HEURISTIC FOR AUTOMATICALLY GENERATING INDUCTIVE ASSERTIONS FOR PROGRAMS

Model Based Theory Combination

Formally Analyzing Adaptive Flight Control

Automatic Generation of Polynomial Invariants for System Verification

Complexity Theory VU , SS The Polynomial Hierarchy. Reinhard Pichler

Outline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181.

Chapter 3 Deterministic planning

Synthesizing Switching Logic using Constraint Solving

Leonardo de Moura Microsoft Research

Section Summary. Sequences. Recurrence Relations. Summations Special Integer Sequences (optional)

An Abstract Domain to Infer Ordinal-Valued Ranking Functions

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Computability and Complexity Theory: An Introduction

Notes for Lecture Notes 2

An Introduction to SAT Solving

NP-Complete Reductions 2

Quantifiers. Leonardo de Moura Microsoft Research

Generation of. Polynomial Equality Invariants. by Abstract Interpretation

Formal Methods in Software Engineering

The L-depth Eventual Linear Ranking Functions for Single-path Linear Constraint Loops

EE5120 Linear Algebra: Tutorial 3, July-Dec

Topics in Model-Based Reasoning

First-Order Logic First-Order Theories. Roopsha Samanta. Partly based on slides by Aaron Bradley and Isil Dillig

Ranking Abstractions

Deductive Verification

A Termination Checker for Isabelle Hoare Logic

First-Order Logic. 1 Syntax. Domain of Discourse. FO Vocabulary. Terms

an efficient procedure for the decision problem. We illustrate this phenomenon for the Satisfiability problem.

Lecture Notes on SAT Solvers & DPLL

Multiphase-Linear Ranking Functions and their Relation to Recurrent Sets arxiv: v1 [cs.pl] 18 Nov 2018

Complexity. Complexity Theory Lecture 3. Decidability and Complexity. Complexity Classes

SAT-Based Verification with IC3: Foundations and Demands

The knapsack Problem

1 Computational Problems

MAT 242 CHAPTER 4: SUBSPACES OF R n

A Collection of Problems in Propositional Logic

Lecture 20: conp and Friends, Oracles in Complexity Theory

Constraint Solving for Finite Model Finding in SMT Solvers

A Short Introduction to Hoare Logic

The value of a problem is not so much coming up with the answer as in the ideas and attempted ideas it forces on the would be solver I.N.

Synthesizing from Components: Building from Blocks

Generalized Property Directed Reachability

Bjorn Poonen. MSRI Introductory Workshop on Rational and Integral Points on Higher-dimensional Varieties. January 18, 2006

Geometric Quantifier Elimination Heuristics for Automatically Generating Octagonal and Max-plus Invariants

Notes on Inductive Sets and Induction

Constraint Logic Programming and Integrating Simplex with DPLL(T )

YORK UNIVERSITY. Faculty of Science Department of Mathematics and Statistics MATH M Test #1. July 11, 2013 Solutions

Description Logics. Deduction in Propositional Logic. franconi. Enrico Franconi

An Abstract Interpretation Approach. for Automatic Generation of. Polynomial Invariants

Controller Synthesis for Hybrid Systems using SMT Solving

IC3 and Beyond: Incremental, Inductive Verification

CS156: The Calculus of Computation

Linear Programming Redux

MATH 3321 Sample Questions for Exam 3. 3y y, C = Perform the indicated operations, if possible: (a) AC (b) AB (c) B + AC (d) CBA

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

The Reachability-Bound Problem. Gulwani and Zuleger PLDI 10

Classical Propositional Logic

Efficient Strongly Relational Polyhedral Analysis

From Satisfiability to Linear Algebra

Lecture 59 : Instance Compression and Succinct PCP s for NP

Propositional Logic: Evaluating the Formulas

Math 324 Summer 2012 Elementary Number Theory Notes on Mathematical Induction

Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 2: Propositional Logic

NORMS ON SPACE OF MATRICES

Final exam study sheet for CS3719 Turing machines and decidability.

1. What is the determinant of the following matrix? a 1 a 2 4a 3 2a 2 b 1 b 2 4b 3 2b c 1. = 4, then det

Scalable Analysis of Linear Systems using Mathematical Programming

15.1 Proof of the Cook-Levin Theorem: SAT is NP-complete

A strongly polynomial algorithm for linear systems having a binary solution

AVACS Automatic Verification and Analysis of Complex Systems REPORTS. of SFB/TR 14 AVACS. Editors: Board of SFB/TR 14 AVACS

Lecture 9: The Splitting Method for SAT

Ranking Abstraction as Companion to Predicate Abstraction

The Trace Partitioning Abstract Domain

Integrating Simplex with DPLL(T )

The Wumpus Game. Stench Gold. Start. Cao Hoang Tru CSE Faculty - HCMUT

Gödel s Incompleteness Theorem. Overview. Computability and Logic

SCICO: Model pp (col. fig: NIL) ARTICLE IN PRESS

Deductive Verification of Continuous Dynamical Systems

Automatic Generation of Polynomial Invariants of Bounded Degree using Abstract Interpretation

Separating Fairness and Well-Foundedness for the Analysis of Fair Discrete Systems

Proofs of Correctness: Introduction to Axiomatic Verification

Math /Foundations of Algebra/Fall 2017 Foundations of the Foundations: Proofs

Overview, cont. Overview, cont. Logistics. Optional Reference #1. Optional Reference #2. Workload and Grading

Transcription:

Termination Analysis of Loops Zohar Manna with Aaron R. Bradley Computer Science Department Stanford University 1

Example: GCD Algorithm gcd(y 1, y 2 ) = gcd(y 1 y 2, y 2 ) if y 1 > y 2 gcd(y 1, y 2 y 1 ) if y 1 < y 2 y 1 if y 1 = y 2 Example: gcd(77, 112) = gcd(77, 35) = gcd(42, 35) = gcd(7, 35) = gcd(7, 28) = gcd(7, 21) = gcd(7, 14) = gcd(7, 7) = 7 2

Example: GCD Program int gcd(int y 1 > 0, int y 2 > 0) while y 1 y 2 do if y 1 > y 2 then y 1 := y 1 y 2 else y 2 := y 2 y 1 done return y 1 Abstract program: Θ : {y 1 1, y 2 1} τ 1 : {y 1 y 2 + 1} {y 1 = y 1 y 2, y 2 = y 2 } τ 2 : {y 2 y 1 + 1} {y 2 = y 2 y 1, y 1 = y 1 } for y 1, y 2 R 3

Example: Termination of GCD δ(y 1, y 2 ) = y 1 + y 2 Θ : {y 1 1, y 2 1} τ 1 : {y 1 y 2 + 1} {y 1 = y 1 y 2, y 2 = y 2 } τ 2 : {y 2 y 1 + 1} {y 2 = y 2 y 1, y 1 = y 1 } is a ranking function y 1 1 y 2 1 is a loop invariant δ is bounded from below: if τ 1 or τ 2 can be taken, δ(y 1, y 2 ) 0 δ decreases on each iteration: if τ 1 or τ 2 is taken, δ(y 1, y 2) δ(y 1, y 2 ) 1 Therefore, GCD terminates. Goal: Find ranking functions and supporting invariants automatically. 4

Ranking Functions 5

Loops Loop Abstraction: L : Θ, T over V: GCD variables V range over R {y 1, y 2 } initial condition Θ is assertion over V y 1 1 y 2 1 transitions τ T are assertions {τ 1, τ 2 } τ(v, V ) over V V Loop Validity: Assertion ϕ is valid over loop L L = ϕ if ϕ holds on all reachable states S L of L. values of (y 1, y 2 ) In practice, replace L = with loop invariants. y 1 1 y 2 1 6

Well-founded Relation (D, ): is well-founded if there is no infinite sequence d 1, d 2, d 3,... where d i D such that ( i) d i d i+1 (d 2 d 1 d 1 d 2 ) Examples: (Z +, <) (R +, ɛ ) for ɛ > 0 x ɛ y x y ɛ (L, ) for lists L l 1 l 2 l 1 < l 2 7

Ranking Function Consider loop L : Θ, T over V. δ : S L R is a ranking function of L if (Bounded) ( τ T ) (Ranking) ( ɛ > 0)( τ T ) L = τ(v, V ) δ(v) 0 L = τ(v, V ) δ(v ) δ(v) ɛ δ, ɛ induce a well-founded relation over S L : for s, t S L, Thus, L always terminates. s t δ(s) δ(t) ɛ 8

Example: GCD Prove δ(y 1, y 2 ) = y 1 + y 2 is a ranking function for GCD. Take loop invariant y 1 1 y 2 1. Choose ɛ = 1. Bounded τ 1 Ranking τ 1 y 2 1 }{{} y 1 y 2 + 1 }{{} y 1 + y 2 0 invariant guard of τ 1 y 2 1 }{{} invariant (y 1 y 2 ) + (y 2 ) y 1 + y 2 }{{}}{{} 1 ɛ substitution by τ 1 9

Example: GCD Bounded τ 2 Ranking τ 2 y 1 1 }{{} y 2 y 1 + 1 }{{} y 1 + y 2 0 invariant guard of τ 2 y 1 1 }{{} invariant (y 1 ) + (y 2 y 1 ) y 1 + y 2 }{{}}{{} 1 ɛ substitution by τ 2 Assertions are valid, so GCD always terminates. 10

Lexicographic Well-founded Relation Given well-founded relations over domains (D 1, 1 ), (D 2, 2 ),..., (D k, k ) define lexicographic well-founded relation over D = D 1 D 2 D k For d = d 1, d 2,..., d k, e = e 1, e 2,..., e k D d e ( i) [d i i e i ( j < i) d j = e j ] d 1,..., d i,..., d k = = i e 1,..., e i,..., e k 11

Lexicographic Ranking Function Consider loop L : Θ, T. Tuple of functions δ : δ 1, δ 2,..., δ k where δ i : S L R and map π : T {1,..., k} comprise a lexicographic ranking function for L if (Bounded) ( τ T ) (Ranking) ( ɛ > 0)( τ T ) L = τ(v, V ) δ π(τ) (V) 0 L = τ(v, V ) δ π(τ) (V ) δ π(τ) (V) ɛ (Nonincreasing) ( τ T ) L = ( j < π(τ))[τ(v, V ) δ j (V ) δ j (V)] 12

Induced Lexicographic Well-founded Relation δ, ɛ induce a lexicographic well-founded relation over S L : for s, t S L, s t ( i) [δ i (s) δ i (t) ɛ ( j < i) δ j (s) = δ j (t)] Thus, L always terminates. 13

Example: McCarthy 91 For n Z +, f(n) = f(f(n + 11)) if n 100 n 10 if n > 100 For every 1 n 92, f(n) = 91, if it terminates. We prove termination for all n Z +. Example: f(89) = f(f(100)) = f(f(f(111))) = f(f(101)) = f(91) = f(f(102)) = = 91 14

Example: Imperative McCarthy 91 int f(int x) int s = 1 while true do if x > 100 then if s = 1 then return x 10 else x := x 10 s := s 1 else x := x + 11 s := s + 1 done Abstract program: for x, s R Θ : {s = 1} τ 1 : {x 101, s 1} {x = x 10, s = s 1} τ 2 : {x 100} {x = x + 11, s = s + 1} 15

Example: McCarthy 91 Prove 10s x + 90 }{{}, }{{} x δ 1 δ 2 π(τ 1 ) = 2, π(τ 2 ) = 1 is a lexicographic ranking function for McCarthy 91. Take loop invariant s 1. Choose ɛ = 1. Show τ 1 δ 2 0 τ 2 δ 1 0 τ 1 δ 2 δ 2 ɛ τ 2 δ 1 δ 1 ɛ τ 1 δ 1 δ 1 16

Example: McCarthy 91 Bounded τ 1 : π(τ 1 ) = 2 Ranking τ 1 : π(τ 1 ) = 2 x 101 }{{} }{{} x 0 guard of τ 1 δ 2 x 101 (x 10) }{{}}{{}}{{} x }{{} 1 guard of τ δ 1 substitution into δ 2 by τ 2 ɛ 1 Nonincreasing τ 1 : 1 < π(τ 1 ) = 2 x 101 10(s 1) (x 10) + 90 10s x + 90 }{{}}{{}}{{} guard of τ 1 substitution into δ 1 by τ δ 1 1 17

Example: McCarthy 91 Bounded τ 2 : π(τ 2 ) = 1 Ranking τ 2 : π(τ 2 ) = 1 s 1 x 100 10s x + 90 0 }{{}}{{}}{{} invariant guard of τ 2 δ 1 10(s + 1) (x + 11) + 90 10s }{{}} {{ x + 90 } }{{} 1 substitution into δ 1 by τ δ 1 ɛ 2 Assertions are valid, so McCarthy 91 always terminates. 18

The Theoretical Landscape 19

Ranking Functions Theorem Every terminating loop has a ranking function. But in general, expressing a ranking function requires FOL with fixpoints, which is incomplete. Therefore, termination is not necessarily semi-decidable. In fact, we show that termination is not semi-decidable for a simple class of loops. 20

Interlude: Linear Loops Consider variables V = {x 1, x 2,..., x m }. homogenous vector: x = (x 1,..., x m, 1) T linear assertion: Ax 0 a 1,1 a 1,m a 1,m+1... a k,1 a k,m a k,m+1 x 1... x m 1 0... 0 0 i {1,...,k} (a i,1 x 1 + + a i,m x m + a i,m+1 ) 0 21

Interlude: Linear Loops Consider variables V = {x 1, x 2,..., x m }. linear loop: L : Θ, T in which all assertions are linear let (xx ) = (x 1,..., x m, x 1,..., x m, 1) T initial condition: Θx 0 transitions: τ i (xx ) 0 22

Theoretical Limitation Consider loops of form: Θ : x i V V for x R n. Restricted subset of linear loops. x i = c i while g T x 0 do x := (A 1 A 2 A k ) }{{} x nondeterministic choice done Theorem Termination of such loops is not semi-decidable (not recursively enumerable). No complete method. 23

Synthesis Problem Identify class of loops Y and class of ranking functions Z such that synthesis of ranking functions of form Z is complete for Y. Examples: Linear ranking functions for linear loops. Lexicographic linear ranking functions for linear loops. 24

Recent Works Colón & Sipma 2001 Synthesis of linear ranking functions for linear loops. Colón & Sipma 2002 Extension to nested loops and multiple paths. Colón, Sankaranarayanan & Sipma 2003 Constraint-based linear invariant generation. Podelski & Rybalchenko 2004 Complete method for linear loops with one transition and no initial condition. Based on linear programming. Bradley, Manna & Sipma 2005 Polyranking-based analysis for polynomial loops with assignment. Bradley, Manna & Sipma 2005 Synthesis of lexicographic linear ranking functions with supporting invariants. 25

Synthesis of Linear Ranking Functions with Supporting Invariants 26

Linear Ranking Function Constraint-based approach: templates with unknown coefficients. Consider linear loop L : Θ, T. For r T x a template (r i are unknown coefficients), r T x is a linear ranking function if (Bounded) ( τ T ) L = τ(xx ) 0 r T x }{{} δ 0 (Ranking) ( ɛ > 0)( τ T ) L = τ(xx ) 0 r T x r T x ɛ 27

Lexicographic Linear Ranking Function Consider linear loop L : Θ, T. T x r T 1 x,..., r }{{} k and π : T {1,..., k} }{{} δ 1 δ k for unknown coefficients r ij and unknown π, is a k-component lexicographic linear ranking function if (Bounded) ( τ T ) (Ranking) ( ɛ > 0)( τ T ) L = τ(xx ) 0 r T π(τ) x 0 L = τ(xx ) 0 r T π(τ) x rt π(τ) x ɛ (Nonincreasing) ( τ T ) L = ( j < π(τ))[τ(xx ) 0 r T j x r T j x 0] 28

Linear Supporting Invariant Ranking functions often require supporting invariants. Consider linear loop L : Θ, T. For Ix 0 a template (I ij are unknown coefficients), Ix 0 is an l-conjunct linear invariant if (Initiation) Θx 0 Ix 0 (Consecution) ( τ T ) Inductive assertion invariant Ix 0 τ(xx ) 0 Ix 0 How do we find the unknown coefficients in the template? 29

Farkas Lemma (1894) System of linear inequalities over real variables x = {x 1,..., x n }: a 1,1 x 1 + + a 1,n x n + b 1 0 S :... a m,1 x 1 + + a m,n x n + b m 0 S entails linear inequality ψ : c 1 x 1 + + c n x n + d 0 if and only if there exist real numbers λ 1,..., λ m 0 such that ( m m m ) c 1 = λ i a i,1 c n = λ i a i,n d λ i b i i=1 i=1 i=1 30

Synthesis Overview Consider loop L : Θ, T over V = {x 1, x 2,..., x m }. Templates: expression c T x, unknown coefficient vector c assertion Cx 0, unknown coefficient matrix C Given templates l-conjunct invariant template Ix 0 (I has l rows) k-component lexicographic ranking function templates {c 1 T x,..., c k T x} Apply Farkas Lemma rules to encode ranking function and supporting invariant conditions. Either use given π or synthesize it. 31

Farkas Lemma Rules: Invariant (Initiation) (Consecution) (Disabled) C i : D i : I : Θx 0 Ix 0 Ix 0 τ i (xx ) 0 Ix 0 Ix 0 τ i (xx ) 0 1 0 false 32

Farkas Lemma Rules: Ranking Function (Bounded) B i : Ix 0 τ i (xx ) 0 c T x 0 (Ranking) R i : Ix 0 τ i (xx ) 0 c T x c T x ɛ 0 33

Example: R 1 for GCD τ 1 : {y 1 y 2 + 1} {y 1 = y 1 y 2, y 2 = y 2 } λ 1 i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 λ 2 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 λ 3 y 1 y 2 1 0 λ 4 y 1 y 2 y 1 = 0 λ 5 y 2 + y 2 = 0 c 1 y 1 + c 2 y 2 c 1 y 1 c 2 y 2 ɛ 0 λ 1 i 1,1 + λ 2 i 2,1 + λ 3 + λ 4 = c 1 λ 1 i 1,3 + λ 2 i 2,3 λ 3 ɛ λ 1 i 1,2 + λ 2 i 2,2 λ 3 λ 4 λ 5 = c 2 λ 1, λ 2, λ 3 0 λ 4 = c 1 ɛ > 0 λ 5 = c 2 Constraints are over {c 1, c 2, ɛ, λ 1,..., λ 5, i 1,1,..., i 2,3 }. 34

Generated Constraints Constraints are linear if no invariant template is given. Constraints are parametric linear otherwise. Linear, except for a few bilinear quadratic terms (a λ and a supporting invariant template coefficient, e.g., λ 1 i 1,1 ) Decidable [Tarski 1951] Generic solvers based on CAD [Collins 1975] (e.g., Mathematica, Redlog) Specialized solvers [Sankaranarayanan et al. 2004], [Bradley et al. 2005] 35

Synthesis: Soundness and Completeness Special Case Linear loop L : Θ, T has a linear ranking function supported by an l-conjunct linear invariant the constraint system generated by I (D i (C i B i R i )) is satisfiable. τ i T 36

Example: GCD Find Θ : {y 1 1, y 2 1} τ 1 : {y 1 y 2 + 1} {y 1 = y 1 y 2, y 2 = y 2 } τ 2 : {y 2 y 1 + 1} {y 2 = y 2 y 1, y 1 = y 1 } a linear ranking function c T x c 1 y 1 + c 2 y 2 + c 3 with a 2-conjunct supporting invariant Ix 0 y 1 y 2 i 1,1 i 1,2 i 1,3 i 2,1 i 2,2 i 2,3 1 0 37

Example: GCD Invariant Initiation Consecution I : y 1 1 y 2 1 i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 C 1 : i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 1 y 2 + 1 y 1 = y 1 y 2 y 2 = y 2 i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 C 2 : i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 2 y 1 + 1 y 2 = y 2 y 1 y 1 = y 1 i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 38

Example: GCD Ranking Function Bounded B 1 : i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 1 y 2 + 1 c 1 y 1 + c 2 y 2 + c 3 0 B 2 : i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 2 y 1 + 1 c 1 y 1 + c 2 y 2 + c 3 0 Ranking R 1 : R 2 : i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 1 y 2 + 1 y 1 = y 1 y 2 y 2 = y 2 c 1 y 1 + c 2 y 2 c 1 y 1 + c 2 y 2 + ɛ i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 2 y 1 + 1 y 2 = y 2 y 1 y 1 = y 1 c 1 y 1 + c 2 y 2 c 1 y 1 + c 2 y 2 + ɛ 39

Example: GCD Synthesis Θ : {y 1 1, y 2 1} τ 1 : {y 1 y 2 + 1} {y 1 = y 1 y 2, y 2 = y 2 } τ 2 : {y 2 y 1 + 1} {y 2 = y 2 y 1, y 1 = y 1 } Solving the constraint system induced by reveals ranking function I C 1 C 2 B 1 B 2 R 1 R 2 c 1 = c 2 = 1, c 3 = 0 y 1 + y 2 with ɛ = 1, supported by the invariants i 1,1 = 1, i 1,2 = 0, i 1,3 = 1 i 2,1 = 0, i 2,2 = 1, i 2,3 = 1 y 1 1 y 2 1 which proves that GCD always terminates. 40

Synthesis of Linear Lexicographic Ranking Functions with Supporting Invariants 41

Farkas Lemma Rules: Invariant (Initiation) (Consecution) (Disabled) C i : D i : I : Θx 0 Ix 0 Ix 0 τ i (xx ) 0 Ix 0 Ix 0 τ i (xx ) 0 1 0 false 42

Farkas Lemma Rules: Ranking Function (Bounded) B ij : Ix 0 τ i (xx ) 0 c j T x 0 (Ranking) (Nonincreasing) R ij : N ij : Ix 0 τ i (xx ) 0 c T j x c T j x ɛ 0 Ix 0 τ i (xx ) 0 c T j x c T j x 0 43

Synthesis: Soundness and Completeness Theorem (General Case) Linear loop L : Θ, T has a k-lexicographic linear ranking function supported by an l-conjunct linear invariant the constraint system generated by I ( Di ( )) C i B i,π(i) R i,π(i) τ i T is satisfiable for some π : T {1,..., k}. τ i T, j<π(i) (D i N ij ) 44

Synthesizing Lexicographic Ranking Functions The theorem asks for a map π. Can we efficiently find the map? Overview: Initially propose one template component per transition {c 1 T x,..., c n T x} Inexpensive because template coefficients c i appear only linearly in generated constraints. Incrementally build linear order over T. Linear order gives π. Use intermediate partial orders to generate and solve constraint systems to guide search. 45

Simplified Farkas Lemma Rules One component per transition. (Bounded) B i : Ix 0 τ i (xx ) 0 c i T x 0 (Ranking) R i : Ix 0 τ i (xx ) 0 c i T x c i T x ɛ 0 46

Synthesizing Lexicographic Ranking Functions Incrementally build over T : 1. Guess τ i τ j :..., c i T x,..., c j T x,... 2. Generate constraint system and solve. I, C i, D i, B i, R i are fixed. τ i τ j induces N ji : τ j should not increase c i T x Satisfiable Continue search Unsatisfiable Try τ i τ j Satisfiable Continue search Unsatisfiable Backtrack 3. Finished when order is linear and generated constraint system is satisfiable. 47

One Constraint System per Component Given lexicographic template components {c T 1 x,..., c T n x} and partial order over T, solve n constraint systems induced by I τ i (D i C i ) } {{ } Invariant (D j (B j R j )) }{{} τ j ranked by c j T τ i s.t. τ j τ i (D i N ij ) }{{} τ i does not increase c j T if τ j τ i..., c T j x,..., c T i x,... τ j τ i for j {1,..., n}. 48

One Constraint System per Component Advantages: Multiple smaller constraint systems are easier to solve in practice. Invariant template may be instantiated differently for each constraint system. 49

Example: McCarthy 91 Θ : {s = 1} τ 1 : {x 101, s 0} {x = x 10, s = s 1} τ 2 : {x 101, s 2} {x = x 10, s = s 1} split of s 1 τ 3 : {x 100} {x = x + 11, s = s + 1} Find a 3-component lexicographic linear ranking function r T 1 x, r T 2 x, r T 3 x π : T {1, 2, 3} with a 1-conjunct supporting invariant Ix 0 50

Example: McCarthy 91 Iteration 1: One template per transition. {c T 1 x, c T 2 x, c T 3 x} No order assumed between transitions. Three sets of conditions: c T 1 x : I C 1 C 2 C 3 B 1 R 1 c T 2 x : I C 1 C 2 C 3 B 2 R 2 c T 3 x : I C 1 C 2 C 3 B 3 R 3 Induced constraint systems are satisfiable. 51

Example: McCarthy 91 Constraints on c 1 T x: Initiation Consecution I : s = 1 i 1 s + i 2 x + i 3 0 C 1 : C 2 : C 3 : i 1 s + i 2 x + i 3 0 x 101 s 2 x = x 10 s = s 1 i 1 s + i 2 x + i 3 0 i 1 s + i 2 x + i 3 0 x 101 s 0 x = x 10 s = s 1 i 1 s + i 2 x + i 3 0 i 1 s + i 2 x + i 3 0 x 100 x = x + 11 s = s + 1 i 1 s + i 2 x + i 3 0 52

Example: McCarthy 91 Bounded B 1 : i 1 s + i 2 x + i 3 0 x 101 s 0 c 1,1 s + c 1,2 x + c 1,3 0 Ranking R 1 : i 1 s + i 2 x + i 3 0 x 101 s 0 x = x 10 s = s 1 c 1,1 s + c 1,2 x c 1,1 s + c 1,2 x + ɛ 53

Example: McCarthy 91 Iteration 2: Guess τ 3 τ 2...., c 3 T x,..., c 2 T x,... τ 2 should not increase c T 3 x. Three sets of conditions: c T 1 x : I C 1 C 2 C 3 B 1 R 1 c T 2 x : I C 1 C 2 C 3 B 2 R 2 c T 3 x : I C 1 C 2 C 3 B 3 R 3 N 2,3 Induced constraint systems are satisfiable. 54

Example: McCarthy 91 Iteration 3: Guess τ 1 τ 3...., c 1 T x,..., c 3 T x,... τ 3 should not increase c T 1 x. Three sets of conditions: c T 1 x : I C 1 C 2 C 3 B 1 R 1 N 3,1 c T 2 x : I C 1 C 2 C 3 B 2 R 2 c T 3 x : I C 1 C 2 C 3 B 3 R 3 N 2,3 Induced constraint system for c T 1 x is unsatisfiable. 55

Example: McCarthy 91 Iteration 3: Try τ 3 τ 1 instead...., c T 3 x,..., c T 1 x,... τ 1 should not increase c T 3 x. Three sets of conditions: c T 1 x : I C 1 C 2 C 3 B 1 R 1 c T 2 x : I C 1 C 2 C 3 B 2 R 2 c T 3 x : I C 1 C 2 C 3 B 3 R 3 N 2,3 N 1,3 Induced constraint systems are satisfiable. 56

Example: McCarthy 91 Iteration 4: Guess τ 2 τ 1 (but τ 1 τ 2 works, too)...., c T 2 x,..., c T 1 x,... τ 1 should not increase c T 2 x. Three sets of conditions: c T 1 x : I C 1 C 2 C 3 B 1 R 1 c T 2 x : I C 1 C 2 C 3 B 2 R 2 N 1,2 c T 3 x : I C 1 C 2 C 3 B 3 R 3 N 2,3 N 1,3 Induced constraint systems are satisfiable. 57

Example: McCarthy 91 Iteration 4: is a linear order: c T 3 x, c T 2 x, c T 1 x τ 3 τ 2 τ 1 gives π: π(τ 1 ) = 3, π(τ 2 ) = 2, π(τ 3 ) = 1 58

Example: McCarthy 91 Θ : {s = 1} τ 1 : {x 101, s 0} {x = x 10, s = s 1} τ 2 : {x 101, s 2} {x = x 10, s = s 1} τ 3 : {x 100} {x = x + 11, s = s + 1} Solving the final constraint systems reveals ranking function 10s x + 90, x, x π(τ 1 ) = 3, π(τ 2 ) = 2, π(τ 3 ) = 1 supported by the invariant s 1 which proves that McCarthy 91 always terminates. 59

In Practice Name LOC L A P P/A P/L Sec meschach 28K 911 778 758 97% 83% 64 gnuplot 50K 826 312 301 96% 36% 88 gaim 57K 594 54 52 96% 8% 94 ffmpeg 108K 2674 2115 2081 98% 78% 198 Prototype unsound abstraction of C loops, using cil. Why unsound? Overflows, unsigned, doubles abstracted as Rs, etc. Aliasing, globals changed by function calls, etc. In principle, can be sound an engineering task. Synthesis of lexicographic linear ranking functions. Lexicographic function needed for 10 loops. 60

Example of Failed Abstraction List * iter = items; while (iter!= NULL) {... iter = iter->next; } Proving termination requires: proving that items is noncircular (nontrivial); abstracting iteration to counting down (trivial). 61

Example of Failed Abstraction char * ptr = input; while (*ptr!= \0 ) {... ptr++; } Proving termination requires: proving that input is a well-formed C string (nontrivial). abstracting pointer arithmetic to counting down (trivial). 62

Reasons for Failed Proofs 1. Prototype abstracter! 2. Need for invariants. Examples: i = 2 * i; i = i + k; i 0 to deduce increase in i k > 0 to deduce increase in i 3. Need for summarizing embedded loops. Example: while (i < n) { while (...) { i++; } summarize with i i i++; } 4. Need for function invariants. Example: i = i + strlen(str); 5. Loop does not terminate. knowledge about str and strlen 63

Appendix 64

Expanding a Farkas Lemma Rule R ij : Ix 0 τ i (xx ) 0 c T j x c T j x ɛ 0 λ I Ix + i 0 λ G G i x + g i 0 λ U U i x + V i x + u i 0 c j T x c j T x ɛ 0 λ T I I + λt G G i + λ T U U i = c j λ T U V i = c j λ T I i + λt G g i + λ T U u i ɛ λ I, λ G, λ U 0 ɛ > 0 x = (x 1,..., x m, 1) T (xx ) = (x 1,..., x m, x 1,..., x m, 1) T Expand assertions: x = (x 1,..., x m ) T x = (x 1,..., x m) T I, i define Θ G i, g i, U i, V i, u i define τ i Constraints over {λ I, λ G, λ U, c j, ɛ} 65

Lexicographic Synthesis let lex L : Θ, T = let sat o = ( τ T )(satisfiable L τ o) in let rec search o = sat o and match choose o with None true (search (o (τ τ ))) Some (τ, τ ) or (search (o (τ τ))) in search {} 66

Lexicographic Synthesis Calling satisfiable L τ j o generates and solves a constraint system for L, τ, and o, in which N ij is imposed iff (τ j τ i ) o Solving partial constraint systems guides the construction of lexicographic ranking functions. 67

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback